An  Evolutionary  Game-Theoretic  Framework  for 
Cyber-threat  Information  Sharing 


Deepak  Tosh,  Shamik  Sengupta 
Dept  of  Computer  Science  and  Engineering 
University  of  Nevada,  Reno 
dtosh@unr.edu 
ssengupta@unr.edu


Charles  Kamhoua,  Kevin  Kwiat 
Air  Force  Research  Laboratory 
Cyber  Assurance  Branch,  Rome,  NY 
Charles.Kamhoua.1@us.af.mil
Kevin.Kwiat@us.af.mil 


Andrew  Martin 
Department  of  Computer  Science 
University  of  Oxford 
Andrew.Martin@cs.ox.ac.uk 


Abstract — The  initiative  to  protect  against  future  cyber  crimes 
requires  a  collaborative  effort  from  all  types  of  agencies  spanning 
industry,  academia,  federal  institutions,  and  military  agencies. 
Therefore,  a  Cybersecurity  Information  Exchange  (CYBEX) 
framework is required to facilitate breach/patch related information
sharing among the participants (firms) to combat
cyber attacks. In this paper, we formulate a non-cooperative
cybersecurity information sharing game that can guide: (i) the
firms (players) to independently decide whether to “participate
in  CYBEX  and  share”  or  not;  (ii)  the  CYBEX  framework  to 
utilize  the  participation  cost  dynamically  as  incentive  (to  attract 
firms  toward  self-enforced  sharing)  and  as  a  charge  (to  increase 
revenue).  We  analyze  the  game  from  an  evolutionary  game- 
theoretic  strategy  and  determine  the  conditions  under  which  the 
players’  self-enforced  evolutionary  stability  can  be  achieved.  We 
present  a  distributed  learning  heuristic  to  attain  the  evolutionary 
stable  strategy  (ESS)  under  various  conditions.  We  also  show  how 
CYBEX  can  wisely  vary  its  pricing  for  participation  to  increase 
sharing  as  well  as  its  own  revenue,  eventually  evolving  toward  a 
win-win  situation. 

Index  Terms — Cybersecurity,  CYBEX,  Evolutionary  Game 
Theory,  Incentive  Model,  Information  Sharing 

I.  Introduction 

A robust cybersecurity information sharing infrastructure
is needed to protect a firm’s confidential information from
future cyber attacks. This can be difficult to achieve via
sole effort [1]. The executive orders from the U.S. federal
government clearly encourage firms to share their cybersecurity
breach and patch related information with other firms to
strengthen the nation’s security infrastructure. Among recent
cyber attack victims are the well-known retail shops Target Corp.
and Neiman Marcus. Their breaches were reported [2] to involve
payment card numbers and personal information of approximately
70 million customers. A cyberattack on JP Morgan Chase &
Co. [3] reportedly compromised the accounts of 76 million
households and 7 million small businesses. Disclosure of this
attack information to the public resulted in a drop in its stock
price of 0.9% and a loss of 1.3% of its value. Thus, the rising
rate of cyber crimes can dramatically affect the revenue of firms;
therefore, a significant amount of resources is being invested in
developing cyber defenses to combat criminal cyber attacks.

Isolated research on cybersecurity threat analysis and individually
developed anti-threat strategies may not be a cost-
effective  way  to  tackle  cyber  crimes  [4].  For  instance,  when 
a  firm  finds  it  has  been  compromised  by  an  attacker,  it 
usually  immediately  invests  time  and  money  to  develop  a 
countermeasure.  At  the  same  time,  another  organization  that 
had  previously  faced  a  similar  attack  would  already  have 
developed a countermeasure for the breach. Incentivized exchange
of firms’ vulnerability information, proactive security
breaches,  successful/unsuccessful  breach  or  patch  information 
etc.,  can  be  an  effective  way  for  firms  to  collaboratively  [5] 
improve  their  security  infrastructure  with  efficient  technology 
investment.  However,  currently  the  firms  hesitate  to  share  their 
security  information  with  other  organizations  including  federal 
agencies  due  to  the  following  reasons:  (1)  negative  publicity 
might  affect  their  market  value  and  stock  price;  (2)  sharing 
of  security  holes  with  competing  firms  can  be  risky  if  rivals 
violate  trust  and  take  advantage  of  the  breach  reporting  firm 
directly  or  indirectly  with  the  help  of  third-party  agents.  The 
current  practice  of  using  isolated  cybersecurity  mechanisms 
can  be  highly  expensive  yet  mostly  ineffective  against  the  ever- 
changing  tactics  of  cyber  attackers. 

A  departure  from  this  unpromising  practice  is  seen  in 
the  concept  of  the  Cyber  Security  Information  Exchange 
(CYBEX)  network  and  is  being  investigated  by  network 
and  cybersecurity  personnel,  policy  makers,  governments  and 
economists  to  enable  the  security  information  sharing.  ITU-T 
(International  Telecommunication  Union-Telecommunication) 
took  the  initiative  to  adopt  CYBEX  [6]  to  tighten  cybersecurity 
and  infrastructure  protection.  The  CYBEX  framework  aims  to 
provide  a  service  of  structured  information  exchange  about 
measurable  security  states  of  systems/devices  together  with 
incidents  stemming  from  cyber  attacks.  One  major  challenge 
is  that  the  architecture  of  the  CYBEX  assumes  the  firms  to  be 
always  cooperative  with  each  other;  however,  the  inescapable 
fact remains that firms compete with each other. They compete
for more revenue, market share, and shareholders. This
competition is distributed and highly non-cooperative. Therefore,
devising self-enforcement mechanisms for the firms to
participate in the information sharing framework is necessary.
which will maximize the social welfares of both participants
as  well  as  CYBEX  and  security  robustness  of  the  firms.  On  the 
other  hand,  as  CYBEX  aims  to  maximize  its  revenue  through 
participation  cost,  it  is  important  to  study  how  CYBEX  can 
vary  its  pricing  for  participation  to  increase  sharing  as  well  as 
its  own  revenue,  thus  evolving  toward  a  win-win  situation. 

Due to limited academic literature on incentives or participation
costs, there is little or no understanding of the effectiveness
of dynamic participation cost on information sharing
as  an  incentive/deterrence  to  induce  firms’  behavior.  This 
underscores  the  question:  how  much  incentive/participation 
costs  should  be  induced  and  when,  to  motivate  the  firms  to 
participate  in  the  CYBEX,  yet  make  the  sharing  system  self- 
dependent  and  self-enforced  so  that  sharing  is  done  directly 
rather  than  through  external  means  only?  Under  such  dynamic 
cost  adjustment  of  CYBEX,  the  firms  must  figure  out  their 
optimal  strategies  (“participate  &  share”  or  not)  to  play  with  so 
that  they  maximize  their  expected  payoff.  One  very  important 
objective  in  this  regard  is  the  existence  of  the  evolutionary 
stable  strategy  (ESS)  [7]  [8]  from  the  firms’  perspective  in  such 
evolutionary  games.  ESS  is  a  strategy  which,  if  adopted  by 
a  population  of  players,  cannot  be  invaded  by  any  alternative 
strategy. We aim to orchestrate the opportunistic CYBEX
self-coexistence game for achieving ESS, where the players are
adaptive,  dynamically  evolving  and  most  importantly  playing 
in  an  uninformed  non-cooperative  setting. 

The rest of the paper is organized as follows. The components
of the CYBEX self-coexistence game are described in
Section II. Section III formalizes and analyzes the game to find
the conditions under which ESS can be achieved. The insights
for CYBEX and the proposed distributed learning heuristic
are also detailed in this section. Section IV presents results
achieved via simulation. Section V concludes the paper.

II.  CYBEX  SELF-COEXISTENCE  GAME  FORMULATION 

In  this  work,  we  consider  the  generic  abstraction  of  “always 
rational  and  profit-seeking”  firms.  We  consider  a  market 
scenario,  where  there  are  N  firms  playing  independently  in 
this  game  and  trying  to  decide  whether  to  participate  in  the 
CYBEX  framework  and  share  with  other  firms  by  incurring  a 
participation  cost.  From  CYBEX  point-of-view,  the  decision 
problem  is  how  much  incentive/participation  costs  should 
be  induced  and  when,  to  motivate  the  firms  to  participate 
in  the  CYBEX  framework.  If  CYBEX  charges  too  high  to 
increase  its  revenue,  the  firms  may  possibly  get  deterred 
from  participation,  eventually  reducing  CYBEX’s  revenue.  On 
the  other  hand,  if  CYBEX  charges  too  low  to  attract  firms, 
the  revenue  generated  by  CYBEX  might  be  insufficient  to 
sustain  in  the  market.  Thus  it  is  important  to  investigate,  under 
what  conditions  and  how  CYBEX  can  dynamically  decide 
on  incentive/participation  cost  to  attract  increasing  number  of 
participants  to  share  (which  will  increasingly  strengthen  their 
cyber-defense  capability),  yet  increase  CYBEX’s  revenue.  To 
model  the  firms’  payoff,  the  following  two  components  are 
considered  in  this  work. 


A.  Sharing  and  Investment  Gain 

Assuming  the  firms  invest  for  their  own  cybersecurity 
R&D,  the  firm  directly  benefits  from  its  own  investment. 
Additionally,  an  indirect  reflected  gain  is  received  from  the 
other  firms’  shared  information,  which  can  produce  proactive 
defense,  patches  and  fixes.  Therefore,  exchange  of  this  valu¬ 
able  information  with  other  firms  improves  their  overall  utility. 
Though  participating  in  CYBEX  and  sharing  information  is 
beneficial  for  protecting  the  firms’  assets  from  cyber  criminal 
activities,  the  participation  in  the  CYBEX  architecture  and 
sharing  information  among  the  firms  are  not  cost-free. 

B.  Modeling  Costs  in  CYBEX 

There exists a cost of participation in the CYBEX architecture,
which is defined by the cost that the CYBEX charges
the  firms  for  maintenance  as  well  as  certification  (for  sharing). 
Apart  from  the  participation  cost,  there  also  exists  a  cost 
of  information  sharing,  which  has  two  parts:  retrieving  the 
information  for  relevance,  and  the  potential  loss  of  reputation. 
Therefore,  self-enforcement  schemes  need  to  be  devised  to 
motivate  and  attract  the  firms  to  participate  and  share  in 
CYBEX  framework. 

III.  Analyzing  CYBEX  self-coexistence  game 

Once  the  problems  are  identified  and  the  game  is  formalized, 
we  need  to  solve  the  game  for  the  firms.  Solving  a  game  means 
predicting  the  steady  state  strategy  of  each  player  assuming 
they  are  rational.  One  can  see  that  if  the  strategies  from  the 
players  are  mutual  best  responses  to  each  other,  no  player 
would  have  a  reason  to  deviate  from  the  given  strategies  and 
the  game  would  reach  ESS. 

In  this  section,  we  now  analyze  the  CYBEX  self-coexistence 
game  in-depth  and  investigate  if  the  game  has  ESS  and  under 
what  conditions.  We  are  particularly  interested  in  modeling 
incentive/participation cost which can be used as an initial incentive
to attract the firms to share in the CYBEX framework.
The  system  is  aimed  to  be  independent  and  self-enforced,  so 
that  the  information  sharing  nature  of  firms  is  enhanced  even 
without  any  external  stimulant,  which  will  help  the  system 
to  reach  ESS  in  a  self-enforced  manner.  As  far  as  a  decision 
strategy  in  this  game  model  is  concerned,  every  firm  has  the 
binary  strategy  set: 

S  =  {Participate  and  Share  in  CYBEX,  Not  Participate} 

With  the  strategy  set  defined,  we  now  define  the  pairwise 
strategic  form  payoffs  in  Table  I,  when  any  two  of  the  firms 
engage  in  pairwise  interaction. 


                      Participate & Share              Not Participate

Participate & Share   $S a \log(1+I) - x - c$,         $a \log(1+I) - x - c$,
                      $S a \log(1+I) - x - c$          $a \log(1+I)$

Not Participate       $a \log(1+I)$,                   $a \log(1+I)$,
                      $a \log(1+I) - x - c$            $a \log(1+I)$

TABLE I: Strategic-form payoffs

When firms are not involved in the CYBEX framework
(i.e., they neither participate nor share), the utility reward
to the firms is dependent on only their own investment,
which can be presented as the following variant of logarithmic
function, $a \log(1 + I)$, where $I$ is the amount of investment
made by the firms and $a$ is a simple scaling parameter that
maps user satisfaction/benefit to a dimension equitable to the
price/monetary value. For the rationality constraint, we assume
$a \log(1 + I) > 0$; otherwise, the firms would prefer to not
make any investment. The logarithmic gain function motivates
the players by rewarding increasing steps towards security
investment. However, the reward eventually saturates with
gradually increasing investment. This is because increasing
the investment beyond a certain threshold does not increase
the overall utility at a high rate; rather, the reward obtained
is limited and saturates. In this symmetric game, we assume a
fixed investment $I$ from every firm. In our future work on the
asymmetric CYBEX self-coexistence game, we will also assume
different investment values from the firms.

We also assume that, when both the engaged firms participate
in mutual sharing, the resulting benefit for them would then
stem not just from their own investment, but also from their
sharing. Thus we consider this utility (when both the firms
share mutually) as $S a \log(1 + I)$, which can be considered as
the return on both investment and sharing. Again for the rationality
constraint, $S > 1$; otherwise the player does not have any
incentive for sharing. $c$ is the cost of participation in the
CYBEX framework, i.e., the amount charged by CYBEX for
participating, and $x$ reflects the cost of information sharing as
explained earlier in Subsection II-B.

However,  when  a  pair  of  firms  are  mutually  interacting, 
while  one  of  them  is  part  of  CYBEX  and  the  other  is  not, 
then the utilities of the firms are given in the top right corner
and  bottom  left  corner  cells.  This  scenario  depicts  the  risk 
of  participating,  where  the  participating  firm  incurs  the  cost 
due  to  participation  in  CYBEX  without  any  additional  sharing 
gain  and  the  other  non-participating  firm  incurring  no  cost  but 
also  not  gaining  anything  due  to  not  sharing.  Note  that,  we 
could  always  use  any  other  complex  values  or  functions  for 
depicting  the  utilities  and  cost,  however,  our  aim  here  is  to 
analyze  the  ESS  and  its  conditions  in  the  game  regardless  of 
the  exact  utility  or  cost  values  as  long  as  the  nature  of  utility 
and  the  costs  follow  the  rationality  constraints  as  required  in 
a  real  market.  For  the  ESS  analysis,  we  modeled  this  game  as 
a  symmetric  game  and  derive  various  conditions  under  which 
different  ESS  can  be  achieved  by  the  group  of  players. 

To analyze the evolutionary stability of the game, we assume
$\alpha \in [0, 1]$ is the proportion of population participating and
sharing in CYBEX. Then, according to replicator dynamics [7], [8],
the transformation speed can be given by

$$g(\alpha) = \alpha\,[E_u(sh) - E_p] \qquad (1)$$

where $E_u(sh)$ is the expected payoff of a player $u$ for
participating and sharing, and $E_p$ is the average payoff in
the population. The expected utility of the “participate & share”
strategy can be given as

$$E_u(sh) = \alpha\,[S a \log(1+I) - x - c] + (1-\alpha)\,[a \log(1+I) - x - c]$$

Similarly, $E_u(not)$ is the expected payoff of a player for not
sharing, where $E_u(not) = a \log(1 + I)$. Hence,

$$E_p = \alpha\,[E_u(sh)] + (1 - \alpha)\,[E_u(not)]$$

After simplifications, the replicator equation given in
Eqn. (1) can be rewritten as:

$$g(\alpha) = \alpha(1 - \alpha)\,[\alpha(S - 1)\,a \log(1 + I) - x - c] \qquad (2)$$


For ESS to be achieved, there are two conditions [7], [8]:
(1) the transformation rate should be zero, i.e., $g(\alpha) = 0$,
and (2) the neighborhood of the equilibrium states (found
through condition (1)) must also be stable. To prove a strategy
to be evolutionarily stable, it is necessary to verify that the
population playing with ESS cannot be invaded by any other
individual(s) playing with a strategy other than ESS. If condition
(2) is not met, then there is a chance that any small subgroup
of players playing with a random strategy other than ESS can
invade the total population of players playing ESS.

For the transformation rate to be zero, i.e., $g(\alpha) = 0$,
there exist three distinct solutions of $\alpha$ (i.e., three potential
equilibrium states):

$$\alpha^*_{sol1} = 0, \quad \alpha^*_{sol2} = 1, \quad \text{and} \quad \alpha^*_{sol3} = \frac{x + c}{(S-1)\,a \log(1+I)}$$

With these three potential equilibrium states, we now need
to check the stability of their neighborhood, and only then can
the equilibrium states be recognized as ESS. For the
neighborhood to be stable, the condition $g'(\alpha) < 0$ must
hold true at each of the equilibrium states. With the three
solutions of $\alpha$, it is found that

$$g'(\alpha^*_{sol1} = 0) = -x - c$$

$$g'(\alpha^*_{sol2} = 1) = -(S-1)\,a \log(1+I) + x + c$$

$$g'(\alpha^*_{sol3}) = (x + c) - \frac{(x + c)^2}{(S-1)\,a \log(1+I)}$$

Therefore  it  is  clear  that  ESS  is  conditioned  upon  the  wise 
choice  of  the  incentive/participation  cost  (c)  and  it  can  be 
used  to  motivate  the  socially  optimal  behavior  and  deter 
non-cooperative  behaviors.  Next,  we  analyze  the  conditional 
constraints  and  show  under  what  bounds  the  population  will 
evolve  toward  sharing  and  under  what  bounds  they  would  not. 


A.  Analyzing  conditional  constraints  for  ESS 

In the following, we analyze all possible conditional
constraints for ESS, depending on the incentive/participation
cost ($c$) set by the CYBEX system for governance. Note that
the cost of information exchange $x > 0$, as this is an inherent
cost for information sharing.

Case (i): Let us first assume $c > 0$ and $c > (S-1)\,a \log(1+I)$.
Therefore, $g'(\alpha^*_{sol1} = 0) < 0$ and $g'(\alpha^*_{sol2} = 1) > 0$.

It can be seen that $g'(\alpha^*_{sol3})$ itself does not hold, as
$\alpha^*_{sol3} > 1$ whereas it must lie between 0 and 1. Hence
$\alpha^*_{sol1} = 0$ is the only ESS under this condition, which
implies that the ESS for the population would be to “not participate”
in the CYBEX architecture due to the high cost of such activity.
Though it is intuitive that the population will never participate in
the sharing framework because of the high participation cost ($c$),
this cost has an important role in motivating the players to
participate, which is discussed in a later case. For numerical
analysis, we show a simple scenario following the above
conditions: even when the evolutionary game initiates from a
high “participate & share” population proportion $\alpha^* = 0.8$,
it is found from Fig. 1(a) that the individuals taking the “Not
Participate” strategy could successfully invade the individuals
that are participating and sharing, because there is no cost for
taking the “Not Participate” strategy. For all the results found
from numerical analysis, we assumed the rationality constant
$S = 2$, scaling constant $a = 3$, and investment ($I$) as 5 units.
The values of participation cost ($c$) and cost of information
sharing ($x$) are suitably varied for different cases based on
each condition. For this case, we assumed $c = 7.4$ and $x = 3$.

Fig. 1: (a) Population proportion variation under constraint
(i), (b) Population proportion variation under constraint (ii)

Case (ii): When $c > 0$ and $c < (S-1)\,a \log(1+I)$ such that
$(c + x) > (S-1)\,a \log(1+I)$. Therefore,
$g'(\alpha^*_{sol1} = 0) < 0$ and $g'(\alpha^*_{sol2} = 1) > 0$.

It can be seen that $g'(\alpha^*_{sol3})$ itself does not hold true, as
$\alpha^*_{sol3}$ does not lie between 0 and 1. Thus, $\alpha^*_{sol1} = 0$
is the only ESS, implying the population still will not choose to
participate in the CYBEX regardless of the initial proportion
of participating population. As the total cost exceeds the
sharing gain, the initial population taking the “Participate and
Share” strategy can easily be invaded by a small group of
individuals taking the “Not Participate” strategy. The result
from numerical analysis is presented in Fig. 1(b) by assuming
$c = 3.4$ and $x = 3$, which demonstrates that irrespective
of any initial $\alpha$ value, the ESS is always found to be the “Not
Participate” strategy and always gets invaded by the population
of “Participate and Share” strategy.

Case (iii): When $c > 0$ and $c < (S-1)\,a \log(1+I)$ such
that $(c + x) < (S-1)\,a \log(1+I)$. Therefore,

$$g'(\alpha^*_{sol1} = 0) < 0, \quad g'(\alpha^*_{sol2} = 1) < 0$$

$$g'(\alpha^*_{sol3}) = (c + x)\left[1 - \frac{c + x}{(S-1)\,a \log(1+I)}\right]$$

It is clear that $g'(\alpha^*_{sol3}) > 0$. Hence, two possible ESS
($\alpha^*_{sol1} = 0$ and $\alpha^*_{sol2} = 1$) exist in this case;
however, achieving a particular ESS depends on the initial
“participate and share” population distribution. ESS tends to
“Not Participate” if $0 < \alpha^* < \frac{c + x}{(S-1)\,a \log(1+I)}$
and ESS tends to “Participate and Share” if
$\frac{c + x}{(S-1)\,a \log(1+I)} < \alpha^* < 1$, where $\alpha^*$ is
the initial population fraction playing with the participate and
share strategy. This clearly implies that if the initial “Participate
& Share” population fraction is more than a certain threshold/tipping
value, $\alpha_{thres} = \frac{c + x}{(S-1)\,a \log(1+I)}$, then the rest
of the population fraction (which are not sharing) will evolve over
time and will participate in CYBEX, thus ESS tends toward the
“Participate and Share” strategy. Alternatively, if the initial
“Participate & Share” population fraction is less than
$\alpha_{thres}$, then the gain from the system would not be
sufficient to enforce the entire population toward sharing; rather,
ESS will tend towards the “Not Participate” strategy, thus showing
the significance of the initial “Participate and Share” population
strength as well as the significance of incentive/participation
cost ($c$). Fig. 2 presents two sample numerical results where the
initial population proportion of the “Participate and Share” strategy
is $\alpha^* = 0.65$ and $0.75$ respectively, assuming $c = 2.4$,
$x = 1.5$. The simulation results validate the deflecting nature of
ESS based on the theoretical threshold/tipping value that can be
computed numerically by using the $\alpha_{thres}$ expression, and
found to be 0.72. From Fig. 2(a), it is shown that most
individuals lean towards the “Not Participate” strategy when
the initial participating population proportion $\alpha^*$ is below the
threshold value. However, when the initial “Participate and
Share” population is above the threshold value, the population
evolves towards more participation as shown in Fig. 2(b). The
expected individual utility is the reason for such deflection
in ESS because the average utility to a firm playing the “Not
Participate” strategy is more, when the proportion of players
playing the same strategy is low, compared to the complement
strategy and vice versa.

Case (iv): When $c < 0$ such that $(c + x) < 0$, i.e., the
cost of participation is negative, implying that it is no
longer a cost but rather a positive incentive given to the firms
for enrolling in the CYBEX architecture. Therefore,
$g'(\alpha^*_{sol1} = 0) > 0$ and $g'(\alpha^*_{sol2} = 1) < 0$.

It is clear that $g'(\alpha^*_{sol3})$ itself does not hold true. Hence
$\alpha^*_{sol2} = 1$ is the only ESS under this condition, which implies
that the ESS for the population would be to participate and share
in the CYBEX architecture regardless of the initial $\alpha^*$ value.
According to this case, the total cost $(c + x)$ appears to
be an incentive for firms to participate, hence the population
will eventually be inclined towards the “Participate & Share”
strategy irrespective of any $\alpha^*$ value as shown in Fig. 3, where
$c + x$ is assumed to be $-1$. The result shows that the individuals
with the “Participate and Share” strategy could successfully invade
the “Not Participate” strategy individuals.


Fig.  3:  Population  proportion  variation  under  constraint  (iv) 


B.  Understanding  the  impact  of  conditional  constraints 

Guidance for CYBEX: The above discussion illustrates how
the evolutionary stability structure of CYBEX is directly
dependent on the incentive/participation cost along with initial
sharing population strategies. Thus it is of utmost importance
to model this incentive/cost according to the conditional
constraints presented above to establish and maintain an
effective CYBEX sharing system. These conditions not only
show that ESS can be achieved, but also demonstrate how the
participation cost is a factor for information exchange and the
utility obtained through sharing. At the start of the game, if
the initial “participating” population is completely dispersed
and there is no enrollment in the CYBEX architecture, our
analysis shows that, using case (iv), incentives can be given to
help evolve the system toward mutual sharing rather than
charging a cost of participation. Once the system goes beyond
the threshold (in terms of number of players enrolled in CYBEX),
moving into case (iii) would still ensure that the
system self-enforces sharing without any external
positive incentive. Then the cost of participation can be used
according to case (iii) above, which will keep the system
stable and self-enforced to share even without any external
incentive. The nature of the firms sharing would reciprocate
the rest of the firms thus evolving toward a cooperative ESS.
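
The four cases of Section III-A and the staged pricing described in this subsection can be checked numerically. The Python below is an added example, not code from the paper: it integrates Eq. (2) with the paper's constants (S = 2, a = 3, I = 5, natural logarithm, which reproduces the tipping value of about 0.72) and the per-case values of c and x. The function names, the Euler step size and the `margin` used by the staged pricing policy are assumptions made here.

```python
import math

# Constants from the paper's numerical analysis (Section III-A).
S, A, I = 2.0, 3.0, 5.0
K = (S - 1.0) * A * math.log(1.0 + I)   # (S-1) a log(1+I): gain from mutual sharing


def g(alpha, c, x):
    """Replicator equation (2): rate of change of the sharing fraction alpha."""
    return alpha * (1.0 - alpha) * (alpha * K - x - c)


def g_prime(alpha, c, x):
    """Derivative of g; an equilibrium is stable only where this is negative."""
    return (1.0 - 2.0 * alpha) * (alpha * K - x - c) + alpha * (1.0 - alpha) * K


def threshold(c, x):
    """Interior equilibrium (x + c) / ((S-1) a log(1+I)), the tipping value."""
    return (x + c) / K


def stable_states(c, x):
    """Equilibria inside [0, 1] whose neighbourhood is stable (g' < 0)."""
    candidates = [0.0, 1.0]
    tip = threshold(c, x)
    if 0.0 < tip < 1.0:            # alpha_sol3 only counts if it is a valid fraction
        candidates.append(tip)
    return sorted(a for a in candidates if g_prime(a, c, x) < 0.0)


def fixed(c):
    """Pricing policy that always charges the same participation cost c."""
    return lambda alpha: c


def staged_price(c_incentive, c_charge, x, margin=0.05):
    """Hypothetical CYBEX policy following Section III-B: pay an incentive
    (case iv, c + x < 0) until the sharing fraction clears the case (iii)
    tipping value by `margin`, then switch to charging c_charge."""
    tip = threshold(c_charge, x)
    return lambda alpha: c_charge if alpha > tip + margin else c_incentive


def evolve(alpha0, price, x, steps=4000, dt=0.01):
    """Euler-integrate equation (2); `price` maps alpha to the current cost c."""
    alpha = alpha0
    for _ in range(steps):
        alpha += dt * g(alpha, price(alpha), x)
        alpha = min(1.0, max(0.0, alpha))
    return alpha


if __name__ == "__main__":
    cases = {"(i)": (7.4, 3.0), "(ii)": (3.4, 3.0),
             "(iii)": (2.4, 1.5), "(iv)": (-2.5, 1.5)}
    for name, (c, x) in cases.items():
        print(f"case {name}: c={c}, x={x}, stable states={stable_states(c, x)}")
    print("tipping value, case (iii):", round(threshold(2.4, 1.5), 4))
    for a0 in (0.65, 0.75):
        print(f"case (iii) from alpha0={a0}:",
              round(evolve(a0, fixed(2.4), 1.5), 3))
    print("fixed charge from 5% sharing:",
          round(evolve(0.05, fixed(2.4), 1.5), 3))
    print("incentive first, then charge:",
          round(evolve(0.05, staged_price(-2.5, 2.4, 1.5), 1.5), 3))
```

Starting from 5% participation, the fixed charge collapses to no sharing, while paying the incentive until the tipping value is cleared and then charging the same cost ends at full sharing.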


C.  Learning  heuristic  for  evolutionary  stable  strategy 


Earlier,  we  presented  the  detailed  theoretical  analysis  and 
impact  of  conditional  constraints  for  ESS,  which  outlines 
how  CYBEX  should  dynamically  induce  the  participation 
cost/incentive to attract and self-enforce firms toward sharing
and achieve stability. However, in a distributed non-
cooperative  information  sharing  game,  it  is  also  necessary 
to  design  a  learning  heuristic  for  the  firms  to  decide  which 
strategy  to  play  at  each  stage,  and  how  to  update  their  “strategy 
selection  probability”  based  on  the  utility  feedback  obtained 
from  the  past  game  stages. 

Now, we present the distributed learning algorithm for the
firms to reach ESS. For choosing a strategy based on the firms’
past experience, each firm $i \in \mathcal{N}$ maintains a probability
vector, $p^{(i)}(t) = \{(p^{(i)}_{s_i}(t), p^{(i)}_{s'}(t)) : p^{(i)}_{s_i}(t) + p^{(i)}_{s'}(t) = 1\}$,
which defines the probability of choosing the “Participate &
Share” and “Not Participate” strategy at game stage $t$,
respectively. In each stage, all possible pairwise simultaneous
interactions are conducted from each firm’s perspective, where
each firm $i \in \mathcal{N}$ sticks to a single strategy throughout the
stage and observes the average pairwise utility $U^{pair}_i(t)$ for
stage $t$, which is given by:

$$U^{pair}_i(t) = \frac{\sum_{j \in \mathcal{N},\, j \neq i} u_i(s_i, s_j)}{N - 1}$$

where $u_i(s_i, s_j)$ is the payoff to player $i$ from the simultaneous
pairwise game between firm $i$ and $j$ by playing with strategy
$s_i$ and $s_j$ respectively at game stage $t$.

After each game stage, the player $i$ updates its probability of
selecting strategy $s_i$ by utilizing two different average utility
vectors: (1) $U^{avg}_i(t)$: average received utility, and (2)
$U^{s_i}_i(t)$: average utility obtained by playing “strategy $s_i$ only”
until stage $t$, which are defined as follows:

$$U^{avg}_i(T) = \frac{\sum_{t=0}^{T} U^{pair}_i(t)}{T} \qquad (3)$$

$$U^{s_i}_i(T) = \frac{\sum_{t=0}^{T} \{U^{pair}_i(t) \mid a_i(t) = s_i\}}{T'} \qquad (4)$$

where $a_i(t)$ is the action of player $i$ at game stage $t$ and
player $i$ played strategy $s_i$ for $T'$ number of stages until stage
$T$, such that $T' < T$.

To learn a stable strategy from the strategy set $S$, the
probability of choosing a particular strategy must reflect
the average utility it receives by playing that strategy. Hence
the difference between player $i$’s average utility obtained by
playing a particular strategy $s_i$ and the average utility out of all
game stages will help to decide the probability of choosing $s_i$
in future. Assuming player $i$ played strategy $s_i \in S$ at the $(t-1)$th
stage, the probability of playing the same strategy ($p^{(i)}_{s_i}(t)$) at
the $t$th stage can be computed using the update rule

$$p^{(i)}_{s_i}(t) = p^{(i)}_{s_i}(t-1) + \kappa\,\big(U^{s_i}_i(t) - U^{avg}_i(t)\big) \qquad (5)$$

where $\kappa \in (0, 1)$ represents the learning constant that
determines how fast or slow the players will move towards
the optimal probability of choosing a particular strategy. The
probability of playing with the complementary strategy ($s'$) can
be given as $p^{(i)}_{s'}(t) = 1 - p^{(i)}_{s_i}(t)$. Algorithm 1 summarizes
the distributed learning heuristic.

Algorithm 1: Learning Heuristic for ESS Convergence

Initialize the initial “sharing” population proportion a(0) for “Share” strategy, and utility matrix U;
Initialize random strategy profile, $p^{(i)}(0) = (p^{(i)}_{s_i}(0),\ 1 - p^{(i)}_{s_i}(0))\ \forall i \in N$;
for stage t = 1 to MaxT do
    for each firm $i \in N$ do
        Select a strategy $s_i \in S$ based on its mixed strategy profile $p^{(i)}(t)$;
        Observe the average utility reward $U^{(i)}_{pair}(t)$ from all simultaneous pairwise interactions;
        Update the probability of selecting strategy $s_i$ ($p^{(i)}_{s_i}(t+1)$) for player $i$ according to equation 5;
        Update the probability of playing with complementary strategy $s'$ as $(1 - p^{(i)}_{s_i}(t+1))$;
    end
end
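
The heuristic of Algorithm 1 with the averages of equations (3) and (4) and the update rule (5), as an added Python example that is not code from the paper. The payoffs (a sharer earns b per sharing partner and pays c per interaction, a non-participant earns 0), the identical initial mixed strategy for every firm, and the clipping of probabilities to [0, 1] are assumptions made here; the paper's utility matrix U is not reproduced.

```python
import random

def simulate(c, share0=0.65, n=100, stages=500, kappa=0.07, b=5.0, seed=1):
    """Run the learning heuristic; return the fraction of firms playing
    "Share" at every stage. Payoffs are constructed for this example:
    a sharer earns b per sharing partner and pays cost c per interaction,
    a non-participant earns 0."""
    rng = random.Random(seed)
    p = [share0] * n                        # p[i]: probability firm i plays Share
    tot = [0.0] * n                         # sum of U_pair over all stages, eq. (3)
    tot_s = [[0.0, 0.0] for _ in range(n)]  # sum of U_pair per strategy, eq. (4)
    cnt_s = [[0, 0] for _ in range(n)]      # T' per strategy
    history = []
    for t in range(1, stages + 1):
        # All firms draw their action first, so interactions are simultaneous.
        acts = [1 if rng.random() < p[i] else 0 for i in range(n)]  # 1 = Share
        sharers = sum(acts)
        for i in range(n):
            s = acts[i]
            others = (sharers - s) / (n - 1)     # sharing fraction among partners
            u_pair = (b * others - c) if s else 0.0
            tot[i] += u_pair
            tot_s[i][s] += u_pair
            cnt_s[i][s] += 1
            u_avg = tot[i] / t                   # eq. (3)
            u_s = tot_s[i][s] / cnt_s[i][s]      # eq. (4), strategy just played
            p_s = p[i] if s else 1.0 - p[i]
            p_s = min(1.0, max(0.0, p_s + kappa * (u_s - u_avg)))  # eq. (5)
            p[i] = p_s if s else 1.0 - p_s       # complementary strategy: 1 - p_s
        history.append(sharers / n)
    return history

if __name__ == "__main__":
    for c in (-0.5, 1.0, 4.0):
        h = simulate(c)
        print(f"c={c:+.1f}: share fraction at stage 1 = {h[0]:.2f}, "
              f"at stage {len(h)} = {h[-1]:.2f}")
```

With these constructed payoffs sharing beats non-participation only when the sharing fraction exceeds c/b, so a 65% initial sharing proportion ends in full sharing for c = 1 and in full non-participation for c = 4.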


IV.  Experimental  Results 

In this section, we present the simulation results for our proposed mechanism, assuming a population size of 100, with the rationality constant S and investment I set to 2 and 5 units respectively; these are kept the same for all the experiments. The values of x and c are varied dynamically to maintain the different conditions described in Section III. The learning constant ($\kappa$) is assumed to be 0.07. Each stage represents all the possible simultaneous pairwise interactions between the players, and they play 500 such stages in each experiment. Unless otherwise mentioned, the initial “Share” strategy population proportion is taken to be 65%.

Fig. 4: (a) Average utility growth, (b) Evolution of “Share” strategy population under different participation cost

In Fig. 4(a), we plot the evolution of average utility over the number of stages for different cost (c) values. It is observed that when the cost of participation (c) is negative, the individuals find an incentive to participate and share. However, when c > 0, the individuals choose to take part and share in the framework opportunistically, depending on how many other players participate and share in the framework. Therefore, the average utility converges to a high value when the participation cost is at its minimum, where the population unanimously plays the “Participate & Share” strategy. As c increases above a certain threshold, the individuals find that participating in sharing is costly and switch to the “Not Participate” strategy, which is why the saturated average utility is lower for c = 4 than for c = 1. It is shown that the proposed heuristic helps the individuals reach the evolutionary stable state within fewer game stages by making them learn about the expected utilities of different strategies. To understand how quickly the population adapts to the ESS, we plot the growth of the “Share” strategy population in Fig. 4(b). It is clear that a population type either invades another type or gets invaded by the other type, depending on the cost constraints. If the participation cost (c) is negative, then it is intuitive that everybody will willingly participate and share, because the participation cost is nothing but an incentive. However, when the cost is positive, the stable strategy depends on how many other members adopt that particular strategy. In our experimental setup, the population converges to “Participate and Share” when the initial sharing strategy population is 65% or more and the cost (c) is 1, but it gets invaded by the remaining “Not Participate” strategy individuals if c increases to 4, because the tipping point requirement is now well above 65%. The important point to notice here is the convergence speed of the proposed learning heuristic, which enables the firms to reach their ESSs within very few game stages.


under  static  and  proposed  dynamic  participation  cost,  (b) 
CYBEX’s  gross  revenue  comparison  under  static  and  proposed 
dynamic participation cost charged by CYBEX

To understand how our proposed dynamic participation cost/incentive can help CYBEX to increase its revenue, we simulate two scenarios, presented in Fig. 5(a): (1) 95% of individuals start with the “participate and share” strategy, but CYBEX charges a fixed amount (c = 5) for participation all along, and (2) CYBEX uses our proposed dynamic participation cost/incentive mechanism (as per the steps provided in Section III(B)), even when only 5% of the total population is sharing at the start. It is observed that in scenario (1), the participating population percentage decreases over the stages due to the high cost charged by CYBEX (as seen in Fig. 5(a), red plot). It is also seen that the cumulative revenue of CYBEX over time does not increase constantly, as firms gradually leave the framework (as seen in Fig. 5(b), red plot). However, in scenario (2), CYBEX manages to attract more firms to participate by rewarding them (−c = 0.5) in the beginning. As the number of participants grows beyond the population threshold/tipping point given in case (iii), Section III, CYBEX dynamically updates its participation cost within a certain limit (based on the cost conditions presented in case (iii)) to generate revenue. It ensures, however, that the cost increase does not lead the firms to leave the framework; rather, it can still attract more participants to join, so that eventually every firm will be inside the sharing framework. Thus CYBEX’s incremental cost increase can lead to a win-win situation, where every firm participates and shares to strengthen its security infrastructure, and CYBEX also generates an increasing revenue, as depicted in Fig. 5(a) and (b) respectively (blue plots).

V.  Conclusions 

In this research, we studied an evolutionary game model to understand how competing firms in a non-cooperative game can decide independently whether or not to participate in CYBEX and share. Considering the cost of participation in CYBEX, in addition to the cost of sharing, we derived the conditions under which the ESS can be achieved. We proposed a distributed learning heuristic which leads the firms towards the ESS. We also showed how CYBEX can wisely vary its incentive or participation cost for the firms to increase sharing, which in turn increases its own revenue, eventually evolving toward a win-win situation.